Safe Harbor on Cyber is a 'safe harbor' blog site on cyber security for families and small businesses with news on cyber threats, risk, data breach, identity thefts, ransomware, cryptocurrency, and vulnerabilities items.


December 18, 2017

Oil pipeline Russian company hardware along with other apps and computer hacked to mine Monero coins

On Friday, December 15, Russian authorities said that Transneft, the world’s largest oil pipeline company, had been hit by a cyberattack in which its computers were hacked to mine the Monero digital currency.

According to Reuters, the company’s spokesman, Igor Demin, said Transneft’s hardware had been used to mine Monero without authorization: a Transneft computer automatically downloaded the Monero mining code from the Internet, and the code was subsequently removed. Since limited information has been provided to the media, it is unclear how many coins were generated on the compromised equipment.

Demin also said the company has taken steps to prevent such incidents from recurring.

State-owned Transneft is Russia’s largest oil transport company, focusing mainly on serving Russia and the Commonwealth of Independent States (CIS). It is currently considered the largest oil pipeline company in the world.

According to Demin, the cryptocurrency-mining program was downloaded from the Internet by a Transneft PC and subsequently deleted. The press secretary also pointed out that other companies may encounter unauthorized cryptocurrency-mining programs as well.

Monero Cryptocurrency
Monero is a competitor of bitcoin and the eleventh-largest digital currency, with a market capitalization of more than $5 billion. The currency recently drew attention when The Pirate Bay and NBC’s ShowTime websites were caught using the CoinHive JavaScript code to secretly mine Monero coins with the CPU power of visitors’ computers.

CoinHive is a company that provides a cryptocurrency miner which sends any coins mined by the browser to the site owner. However, security firm CloudFlare has said that secretly running a cryptocurrency miner is considered malware, and that site owners should give visitors the option to opt out.

Monero is tapped by thousands of websites
Sucuri, the website security platform, reported last week that 5,500 WordPress-based websites were infected with malware that not only stole user data but also mined Monero using visitors’ CPUs.

Monero, the coin these miners target, is currently the 11th-largest cryptocurrency by market capitalization. It issues tokens that can be held and spent without a bank’s involvement, and it offers more anonymity than bitcoin. Investors, miners, and speculators have found it increasingly attractive.

In recent months, some well-known websites have been affected, including the Ultimate Fighting Challenge’s pay-per-view platform and on-demand video services running on Showtime.

An aggressive and complex malware campaign is currently underway that exploits various vulnerabilities in Linux and Windows servers with the goal of installing Monero-mining malware.

Security researchers at F5 Networks discovered the activity and named it Zealot, after one of the files the attackers placed on target servers, Zealot.zip.

These attackers are using the same vulnerability as the Equifax hacker
According to Maxim Zavodchik and Liron Segal, two security researchers at F5 Networks, the attackers are scanning the Internet for specific servers and using two vulnerabilities, one in Apache Struts (CVE-2017-5638) and one in the DotNetNuke ASP.NET CMS (CVE-2017-9822), to gain an initial foothold on unpatched machines.

The Apache Struts flaw is the same one used earlier this year by other hackers to breach Equifax, the US financial giant. In addition, a criminal group abused the same vulnerability in April to install ransomware on Struts servers, in a campaign that brought in more than $100,000.

In this campaign, the Struts exploit carries payloads for both Linux and Windows machines.

When a Windows machine is infected, the attackers also deploy EternalBlue and EternalSynergy, two NSA exploits leaked by the Shadow Brokers earlier this year, to move laterally within the victim’s internal network and infect more systems. They then use PowerShell to download and install the final stage of the malware, in this case a Monero miner. On Linux, the attackers use Python scripts that appear to be taken from the EmpireProject post-exploitation framework and install the same Monero miner.

“Drive-by cryptomining” technique

In some cases, the researchers found that some sites use a “drive-by cryptomining” technique to mine cryptocurrency on visitors’ personal computers, continuing even after the visitor closes the tab. But the bad news does not end there. Researchers at TrendMicro reported that some applications in the Google Play store contained cryptocurrency-mining code and used the user’s Android device to mine Monero.

Reuters quoted industry experts as saying hackers may follow this model more often. Pavel Lutsik, information security project leader at CRO IT, said:

“More and more people realize that, in fact, they do not even need to do much to make money from their couches – if they are not caught.”

Under current Russian law, anyone who attempts to break into a company’s servers may be sentenced to up to six years in prison. Lutsik told Reuters that the sentence is likely to reach 10 years by 2018.

In October, Russian President Vladimir Putin said the country had to regulate cryptocurrencies and mining.

Hackers earned at least $8,500 in Monero

According to information F5 researchers collected from the attackers’ Monero address, the attackers made at least $8,500 from the campaign, but the group could be using more Monero wallets, which means the total could be even higher.

F5 experts also point out that the attackers can change the final-stage payload to whatever they want, and the group could instead install ransomware.

As a side note, the attackers seem to be big fans of StarCraft, because many of the terms and file names used in this campaign come from the game, such as zealots, observers, overlords, ravens, and more.

Zavodchik and Segal point out that “the complexity we are currently observing in the Zealot campaign leads us to believe that it is an evolving threat: a multi-staged infection chain of advanced and customized malware, with attention to lateral movement through the network in order to cause the greatest damage.”

Remedy: How to stop CoinHive code from using your CPU power

Because of the increasing use of CoinHive code, there are several ways to prevent this code from using your computer. For example, the No Coin and minerBlock extensions in the Chrome Web Store stop any cryptominer from using your computing power. According to a cyber-security report released in October, the CoinHive Monero mining software became the sixth most prevalent malware of the month.

The advantage of these extensions is that they are both open source, and you can inspect the source code on GitHub. In addition, to check whether a site is using your computing power to make money, open the page source and search for the terms “CoinHive” or “Coin Hive.” Happy browsing.
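The manual page-source check described above, turned into a small scanner. This is an added example, not code from the article or from the extensions it mentions; the article names only the search terms “CoinHive” / “Coin Hive”, while the hostname coinhive.com and the CoinHive.Anonymous constructor are taken from CoinHive’s public library, and the HTML samples are constructed.

```python
# Added example (not from the article): scan page source for CoinHive miner
# references, the manual check the article describes. Assumptions: the article
# names only "CoinHive" / "Coin Hive"; coinhive.com and CoinHive.Anonymous
# come from CoinHive's public library; the HTML samples below are constructed.
from html.parser import HTMLParser

INDICATORS = ("coinhive", "coin hive", "coin-hive")


class ScriptCollector(HTMLParser):
    """Collects external <script src> URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.srcs, self.inline, self._in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            src = dict(attrs).get("src")
            if src:
                self.srcs.append(src)
            else:
                self._in_script = True

    def handle_endtag(self, tag):
        if tag.lower() == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies are delivered here as CDATA while inside <script>.
        if self._in_script and data.strip():
            self.inline.append(data)


def find_miner_indicators(html):
    """Return (location, indicator) pairs found in script tags; [] if clean."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    candidates = [("script src " + s, s) for s in parser.srcs]
    candidates += [("inline script", body) for body in parser.inline]
    return [(where, ind) for where, text in candidates
            for ind in INDICATORS if ind in text.lower()]


# Constructed HTML samples, not captured from any real site.
SUSPICIOUS_PAGE = """<html><head>
<script src="https://coinhive.com/lib/coinhive.min.js"></script>
<script>var m = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER'); m.start();</script>
</head><body>free movies</body></html>"""
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script>
<script>console.log("hi");</script></head><body>nothing here</body></html>"""
```

Running `find_miner_indicators(SUSPICIOUS_PAGE)` flags both the external library and the inline miner start, while the clean page returns an empty list; obfuscated loaders that avoid these strings will not be caught, which is why the extensions use maintained blocklists.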

Referenced Articles:

Russian oil pipeline computer hacked to mine Monero coins

The current price of 1 Bitcoin is almost USD 20,000, and those who cannot invest in cryptocurrencies find other ways to get some. On Friday 15th December, Russian authorities said that Transneft, the state-owned largest oil pipeline company in the world, suffered a cyber attack in which its computers were hacked to generate Monero digital currency. According to Reuters, company spokesman Igor Demin said that a Transneft computer automatically downloaded and deleted the Monero mining code from the web. It is unclear how many coins were generated from the compromised device since limited information has been provided to the media. “Incidents, where the company’s hardware was used to manufacture cryptocurrency, have been found. It could have a negative impact on the productivity of our processing capacity,” said Transneft Vice President Vladimir Rushailo. Monero is a rival to Bitcoin and the eleventh-largest digital currency with a market cap of over $5 billion. The currency recently got attention when The Pirate Bay and NBC’s ShowTime websites were caught using CoinHive javascript code to secretly mine Monero coins using the CPU power of visitors’ computers. CoinHive is a firm that provides a cryptocurrency miner, which sends any coins mined by the browser to the owner of the website. However, security firm CloudFlare states that secretly using a…

Monero Mining Malware Hits Russian Pipeline Giant Transneft

The world’s largest oil pipeline operator reportedly had some of its computer systems affected by cryptocurrency mining malware. Russian pipeline giant Transneft, according to Reuters, recently had to clear malware from its systems that clandestinely mined the privacy-oriented cryptocurrency monero. It’s not clear how many computers were impacted, but Reuters quoted a senior Transneft official who referenced multiple “incidents” during which the malware was discovered. “Incidents where the company’s hardware was used to manufacture cryptocurrency have been found. It could have a negative impact on the productivity of our processing capacity,” Transneft vice-president Vladimir Rushailo reportedly told company executives during a meeting yesterday. Transneft said that it has moved to shore up its cybersecurity systems in order to prevent those kinds of malware from being downloaded onto its computer systems. The pipeline company is one of the most high-profile firms to date to be affected by the malware, which effectively operates in the background of a computer and uses spare capacity to mine cryptocurrencies. Several notable websites have been impacted in recent months, including a pay-per-view platform for Ultimate Fighting Challenge and an on-demand video service run by Showtime. According to a cybersecurity report published in October, the CoinHive monero mining…

About The Author

cyberwisdom

A pseudonym of David S. Eng, who offers valuable information and cyber threat incident alerts to help you protect, prevent, mitigate, respond, recover, and learn about cybersecurity threats to your business and family. The CyberWisdom author curates cyber security information, news feeds, and articles. He has six years of hands-on experience as the principal researcher for the DHS Cybersecurity Pilot Program on cyber threat intelligence, risk management, cyber technologies, and web collaboration tools.